SharePoint 2013 Host Named Site Collections over SSL

Overview

The following outlines the procedure to create Host Named Site Collections (HNSC) in a SharePoint 2013 web application that uses an SSL certificate with Subject Alternative Names (SANs) instead of a wildcard entry, which is considered to be a more secure solution.

In this example the SharePoint 2013 farm contains more than one web application that uses SSL over port 443; as a result a separate IP address must be bound to each SSL-based web application and its corresponding IIS site. To enable this configuration the following steps need to be performed:

  • Request the certificate using the Certificate Enrollment Wizard
    • Enable the Web Server Template (if necessary)
  • Create DNS A Records for the Web Application and HNSC
  • Create Web Application to Host HNSCs
  • Create Host Named Site Collections
  • Assign IP Addresses
    • Add IP address to the WFE network adapter properties
    • Add IP address to the web applications IIS site bindings
  • Test Sites over HTTP
  • SSL Binding
  • URL Mapping

Create Domain SSL Certificate Using Windows 2008 R2 Certificate Services

Windows Certificate Services will be used to issue the certificate for the HNSC web application and will also include a SAN entry for each Site Collection. The Certificate Enrollment wizard will be used to create the certificate and additional methods such as provisioning the certificate through the command console, requesting through the web portal or automatically deploying to machines in the domain will not be covered.

Enable the Web Server Certificate Template

By default the Web Server template is not available when creating new certificates through the Certificate Enrollment wizard and the option will be greyed out just prior to the final enrollment step. If this is the case an error similar to the one below will be displayed:

In order to enable the “Web Server” template the Computer Account of the server from which the certificate will be requested needs to have the “Enroll” and “Read” permissions assigned to it. For example the certificate could be requested from one of the SharePoint WFE servers, in which case the computer account of the SharePoint WFE, or an AD group containing all the SharePoint WFE servers, would need to be granted the “Read” and “Enroll” permissions.

1. Log onto the CA server and open the Server Manager console. Navigate to Roles > Active Directory Certificate Services > “[Server Name]” > Certificate Templates:

2. In the right hand pane select More Actions –> Manage under the “Certificate Templates” section to launch the Certificate Templates MMC:

3. Within the Certificate Templates MMC right click the “Web Server” template and select “properties”.

4. In the “Web Server Properties” dialog select the “Security” tab followed by the “Add…” button. From the “Select Users, Computers, Service Accounts, or Groups” dialog add the SharePoint WFE server from which the certificate will be requested. Once it’s added to the list of users grant it the “Read” and “Enroll” permissions and click “OK”.

Request Certificate

Now that the “Web Server” template has been enabled, log on to the Web Front End server; the next step is requesting the certificate.

1. Log on to the server as a member of the local Administrators group.

2. Click the “Start Button” –> Search –> mmc.exe

3. From the MMC console click File –> Add/Remove Snap-in…

4. Highlight “Certificates” and click “Add”

5. From the “Certificates snap-in” dialog select the “Computer account” radio button followed by “Next”.

6. Select “Local computer: (the computer this console is running on)” and click “Finish”.

7. Click OK

8. In the console tree, expand “Certificates (Local Computer)” followed by the “Personal” folder.

9. Right click the “Certificates” folder, expand “All Tasks”, and then click “Request New Certificate” to start the enrollment wizard.

10. On the “Certificate Enrollment” dialog click “Next”

11. Select the “Active Directory Enrollment Policy” and click “Next”

12. Select the “Web Server” template followed by clicking the “More information is required to enroll for this certificate. Click here to configure these settings” link.

13. The “Certificate Properties” screen will launch.

14. On the “Subject” tab there is a caution icon indicating that the information on the tab is mandatory.

15. In the “Subject Name” section select the “Common Name” option in the “Type” drop down and enter in the fully qualified domain name (FQDN) of the server or alias.

In this example the DNS A record for the web application, hnsc.2008r2.local, will be entered.

16. Click the “Add” button.

17. In the “Alternative name” area under the “Type” section, select “DNS” from the dropdown menu

18. In the “Value” field enter the FQDN of the root site collection (in my example rootsite.2008r2.local) and click “Add”.

19. Repeat step 18 for each site collection that will be accessed over SSL in the HNSC web application. Each entry will be added as a Subject Alternative Name (SAN) to the requested certificate.

20. Click OK

21. Verify the “Web Server” template is selected and click on the “Enroll” button to process the certificate request.

22. Click “Finish”. The certificate is now displayed in the console:

23. To verify the SANs were added correctly, right click the certificate and select “Properties”.

24. Select the “Details” tab and navigate down to and select the “Subject Alternative Name” entry.
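As an added check (not part of the original post), the following PowerShell verifies from the WFE that the enrolled certificate in the Local Computer Personal store actually carries a SAN entry for the web application and every HNSC hostname. The hostname list, including the extra 'teams.2008r2.local' entry, is an assumed value for this example.

```powershell
# Added example (not from the original post): confirm the enrolled certificate
# carries a SAN entry for the web application and every HNSC hostname.
# Assumed values: the hostnames below and the certificate subject 'hnsc.2008r2.local'.
$expectedHosts = @(
    'hnsc.2008r2.local',      # web application host header
    'rootsite.2008r2.local',  # root site collection
    'teams.2008r2.local'      # additional HNSC (assumed)
)

# Locate the certificate requested from the Web Server template by its Common Name;
# if several exist, take the one that expires last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=hnsc.2008r2.local*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw 'Certificate for hnsc.2008r2.local not found in LocalMachine\My' }

# Pull the DNS names out of the Subject Alternative Name extension (OID 2.5.29.17).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension' }

$sanNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
    ForEach-Object { $_.Groups[1].Value.ToLower() }

# Report any HNSC hostname that browsers would not accept this certificate for.
$missing = $expectedHosts | Where-Object { $sanNames -notcontains $_.ToLower() }

"Certificate thumbprint : $($cert.Thumbprint)"
"Valid until            : $($cert.NotAfter)"
"SAN entries            : $($sanNames -join ', ')"
if ($missing) {
    Write-Warning "Missing SAN entries: $($missing -join ', ')"
} else {
    'All HNSC hostnames are covered by the certificate SAN.'
}
```

Add any hostname reported as missing to the certificate before binding it in IIS, since a site collection not listed in the SAN will fail certificate validation in the browser.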

Create DNS A Records

This step consists of creating DNS A records for the HNSC web application as well as each individual site collection. It’s typically a good idea to create these DNS entries as “HOST A” records instead of CNAME aliases because of the issues that Kerberos has with CNAMEs.

The example will use Active Directory DNS and will use a different IP from the other web applications hosted in the same farm; however, each HNSC under the web application will share the same IP address as the HNSC web application.

1. Go to “Start” –> “All Programs” –> “Administrative Tools” –> “DNS” to launch the “DNS Manager”.

2. Go to “<Domain Controller>” –> “Forward Lookup Zones” –> “<Your Domain>”

3. Right click the targeted domain name and select “New Host (A or AAAA)…”

4. In the “Name” field enter in the name that will be used for the HNSC web application followed by the unique IP address. The name will be automatically appended to the domain name in the “Fully qualified domain name (FQDN):” field.

In this example it’s hnsc.2008r2.local and I’ll use 192.168.153.14 since it’s not in use.

5. Click “Add Host” to create the entry.

6. Repeat this step for each site collection that was defined in the SAN entry of the certificate created in the previous step.

7. Verify the DNS entries were added for the web application and each site collection defined in the SSL certificate.

Create Web Application for HNSCs

The next step is to create a web application that will contain HNSCs and will respond over either port 80 or 443.

1. Verify that the account being used to create the web application meets the following requirements:

  • Member of the securityadmin fixed server role on the SQL Server instance.
  • Member of the dbcreator fixed server role on the SQL Server instance.

2. Launch the “SharePoint 2013 Management Shell”

3. To create the web application issue the following command using the New-SPWebApplication cmdlet:

New-SPWebApplication -Name 'SharePoint HNSC Sites' -hostHeader 'hnsc.2008r2.local' -port 80 -ApplicationPool HNSCAppPool -ApplicationPoolAccount (Get-SPManagedAccount '2008r2\SP_WebApps') -AuthenticationProvider (New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication)

4. Verify the command completed successfully

Create Host Named Site Collections

An HNSC cannot be created in Central Admin and instead needs to be provisioned through PowerShell. The first site collection provisioned will become the root site collection, which is required for search.

1. In this example an HNSC called “Root Site” will be created as “rootsite.2008r2.local” by issuing the following command:

New-SPSite 'http://rootsite.2008r2.local' -HostHeaderWebApplication 'http://hnsc.2008r2.local' -Name 'Root Site' -Description 'Root Site Collection' -OwnerAlias '2008r2\SP_Admin' -language 1033 -Template 'STS#0'

2. Verify the command completed successfully:

3. Repeat the steps for each of the site collections identified in the SSL certificate’s Subject Alternative Names and in the DNS A records previously created.

At this point none of the sites listed above will render. The IP address assigned to the DNS A records that were previously created needs to be bound to the IIS site hosting the http://hnsc.2008r2.local web application and also to the network adapter on the WFE server.

Add IP Address to Network Adapter Properties

The IP address assigned to the DNS A records needs to be added to the network adapter properties on the SharePoint 2013 WFE server used in this example.

1. Click “Start” –> Type “View network connections” to bring up the network adapters in the server.

2. Right click the network adapter and select “Properties”.

3. Select “Internet Protocol Version 4 (TCP/IPv4)” and click “Properties”.

4. On the “Internet Protocol Version 4 (TCP/IPv4) Properties” screen click the “Advanced…” button.

5. On the “Advanced TCP/IP Settings” dialog box click the “Add…” button in the “IP Address” section.

6. In the “TCP/IP Address” dialog box enter the “IP address” and “Subnet mask” and click the “Add” button.

7. Click “OK” on the “Advanced TCP/IP Settings” screen.

8. Click “OK” on the “Internet Protocol Version 4 (TCP/IPv4) Properties” screen.

9. Click “Close”.

The IP address is now added to the network adapter.

Add IP Address to IIS Site Bindings

Now that the IP address has been added to the network adapter settings it can be bound to the IIS site hosting the HNSC web application.

1. Launch “Server Manager” and navigate to “Roles” –> “Web Server (IIS)” –> “Internet Information Services (IIS) Manager”.

2. In the “Internet Information Services (IIS) Manager” screen navigate to “<Server Name>” –> “Sites” and highlight the name of the IIS site that hosts the HNSC web application created previously.

3. In the Actions pane click on the “Bindings…” link:

4. Highlight the entry for the HNSC web application and click on the “Edit” button.

5. On the “Edit Site Binding” screen open the “IP address:” dropdown and select the IP address used for the HNSC web application and its corresponding site collections, clear the “Host name:” field, and click “OK”.

6. Click “Close”

Test Sites over HTTP

So far we have gone through the following steps:

  • Created an SSL certificate with SANs
  • Provisioned a new web application for the host named site collections
  • Provisioned the individual HNSCs
  • Created DNS A records for the web application and site collections
  • Configured the network adapter properties to use the new IP address
  • Configured the IIS binding to use the new IP address.

At this point the host named site collections that were previously created should now render over HTTP. Verify this step before configuring the sites to render over SSL.

SSL Binding

The SSL certificate that was previously created should already be imported into the local certificate store on the WFE since that is where the certificate was requested from. To verify this perform the following steps:

1. Open “Server Manager”

2. In “Server Manager” navigate to “Roles” –> “Web Server” –> “Internet Information Services”.

3. In the “Connections” section click on the name of the server followed by double clicking on the “Server Certificates” feature:

4. Verify the HNSC certificate that was created earlier is listed under “Server Certificates”:

Now that the SSL certificate exists in the local certificate store go to the IIS Administration console and bind it to the site.

1. Open “Server Manager”

2. In “Server Manager” navigate to “Roles” –> “Web Server” –> “Internet Information Services”.

3. In the “Connections” section click on the name of the site hosting the HNSC web application and click on the “Bindings” link in the “Actions” pane:

4. On the “Site Bindings” screen click on the “Add…” button to add a new HTTPS entry.

5. Configure the following:

  • “https” in the “Type:” field
  • The IP address
  • Select the “HNSC” certificate that was created previously
  • Click “OK”

6. Verify the entry was added and click “Close”
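The HTTP and HTTPS bindings above can also be set from PowerShell. The following is an added example, not from the original post, that uses the WebAdministration module to put both bindings on the dedicated IP with an empty host name, attaches the SAN certificate to the IP:443 endpoint, and then checks that no binding still carries a host header (an HNSC web application relies on the IP-specific binding, with SharePoint routing on the Host header). The site name, IP address and thumbprint placeholder are assumptions.

```powershell
# Added example (not from the original post): bind the dedicated IP to the HNSC
# IIS site over HTTP and HTTPS, attach the SAN certificate and verify the result.
# Assumed values: site name, IP address and the thumbprint placeholder below.
Import-Module WebAdministration

$siteName   = 'SharePoint HNSC Sites'    # IIS site created by New-SPWebApplication
$ipAddress  = '192.168.153.14'           # IP added to the WFE network adapter
$thumbprint = 'REPLACE_WITH_THUMBPRINT'  # placeholder: thumbprint from Cert:\LocalMachine\My

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; IIS cannot use it' }

# HNSC routing is done by SharePoint on the Host header, so the IIS bindings
# must be IP-specific with an empty host name. Recreate them that way.
Get-WebBinding -Name $siteName | Remove-WebBinding
New-WebBinding -Name $siteName -Protocol http  -IPAddress $ipAddress -Port 80
New-WebBinding -Name $siteName -Protocol https -IPAddress $ipAddress -Port 443

# Associate the certificate with the IP:port SSL endpoint (replacing any old one).
$sslPath = "IIS:\SslBindings\$ipAddress!443"
if (Test-Path $sslPath) { Remove-Item $sslPath }
$cert | New-Item $sslPath | Out-Null

# Verify: bindingInformation is "<ip>:<port>:<host>"; the host part must be empty.
Get-WebBinding -Name $siteName | ForEach-Object {
    $hostHeader = ($_.bindingInformation -split ':')[2]
    if ($hostHeader) {
        Write-Warning "$($_.protocol) binding $($_.bindingInformation) still has host header '$hostHeader'"
    } else {
        "$($_.protocol) binding OK: $($_.bindingInformation)"
    }
}
"SSL certificate on ${ipAddress}:443 -> $((Get-Item $sslPath).Thumbprint)"
```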

URL Mapping

The final step consists of mapping the HTTPS-based URLs to the HNSCs, which basically adds an Alternate Access Mapping (AAM) for each site collection in the zone specified.

1. Execute the following command to map the HTTPS address of the Root Site to the HTTP site collection:

Set-SPSiteUrl (Get-SPSite 'http://rootsite.2008r2.local') -Url 'https://rootsite.2008r2.local' -Zone Extranet

2. Repeat for each site collection:

Set-SPSiteUrl (Get-SPSite 'http://teams.2008r2.local') -Url 'https://teams.2008r2.local' -Zone Extranet

The host named site collections should now render over HTTP or HTTPS while leveraging an SSL certificate with Subject Alternative Names.
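As an added example (not the post’s own script) covering both the HNSC provisioning step and the URL mapping step above, the following loops over a list of site collections, creates each HNSC if it does not already exist, maps its HTTPS URL in the Extranet zone, and verifies that each hostname resolves to the IP bound to the web application. The site list, owner account and IP address are assumed values.

```powershell
# Added example (not from the original post): provision the HNSCs from one list,
# map each HTTPS URL in the Extranet zone, and verify DNS and the URL mappings.
# Assumed values: hostnames, owner account, web application URL and IP below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl  = 'http://hnsc.2008r2.local'
$expectedIp = '192.168.153.14'
$owner      = '2008r2\SP_Admin'
$sites = @(
    # The first entry becomes the root site collection, which search requires.
    @{ Host = 'rootsite.2008r2.local'; Name = 'Root Site'; Template = 'STS#0' },
    @{ Host = 'teams.2008r2.local';    Name = 'Teams';     Template = 'STS#0' }
)

foreach ($s in $sites) {
    $httpUrl  = "http://$($s.Host)"
    $httpsUrl = "https://$($s.Host)"

    # Create the HNSC only if it does not already exist (New-SPSite is not idempotent).
    $site = Get-SPSite $httpUrl -ErrorAction SilentlyContinue
    if (-not $site) {
        $site = New-SPSite $httpUrl -HostHeaderWebApplication $webAppUrl -Name $s.Name `
            -OwnerAlias $owner -Language 1033 -Template $s.Template
    }

    # Map the HTTPS address so requests arriving over SSL route to this site collection.
    if (-not (Get-SPSiteUrl -Identity $site | Where-Object { $_.Url -eq $httpsUrl })) {
        Set-SPSiteUrl -Identity $site -Url $httpsUrl -Zone Extranet
    }

    # Verify the DNS A record points at the IP bound to the HNSC web application.
    $resolved = [System.Net.Dns]::GetHostAddresses($s.Host) |
        ForEach-Object { $_.IPAddressToString }
    if ($resolved -notcontains $expectedIp) {
        Write-Warning "$($s.Host) resolves to $($resolved -join ', '), expected $expectedIp"
    }

    # Print every zone/URL pair now registered for the site collection.
    $urls = Get-SPSiteUrl -Identity $site | ForEach-Object { "$($_.Zone)=$($_.Url)" }
    "{0,-28} {1}" -f $s.Host, ($urls -join ' ')
}
```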

Posted in HNSC, SharePoint 2013, SSL
10 comments on “SharePoint 2013 Host Named Site Collections over SSL”
  1. Ashish says:

    Excellent info very useful.

    Thanks

  2. Kelechi I. Oparaji says:

    Great blog, after many failed searches, this was exactly what I was looking for. Thank you.

  3. […] a previous post, “SharePoint 2013 Host Named Site Collections over SSL”, I outlined the procedures of setting up HNSC’s with SSL, but also mentioned the fact that in the […]

  4. […] a previous post, “SharePoint 2013 Host Named Site Collections over SSL”, I outlined creating a HNSC however it appears when creating a site collection through […]

  5. westerdaled says:

    Hi, this is a good post. I did notice you haven’t extended any web applications. Was there a reason for not doing this?

  6. Aaron says:

    Awesome Post. Thank you very much and extremely helpful.

    You helped me on getting the SSL certificates working–which I was struggling with.
    Aaron

  7. zandr says:

    Hi Jason,

    Thanks for the post, it’s very helpful. My scenario is slightly different as I’m trying to get SSL working for different external domains. Here’s what I’m trying to achieve:

    https://portal.client1.com -> Off-Box SSL Termination -> http://client1.domain.com
    https://portal.client2.com -> Off-Box SSL Termination -> http://client2.domain.com

    Each client has its own SSL cert (not SAN), and would be stored on the Off-Box SSL Termination appliance.
    The internal domain is a valid TLD (with a wildcard certificate available).

    Is it possible to map a Site URL to the HNSC internally (?) as follows:

    Default – http://client1.domain.com
    Custom – https://portal.client1.com

    Initially, I created the internal HNSC using the external identity but retaining “HTTP” as the scenario included Off-Box SSL, but I was getting tons of errors. Here’s what I initially had:

    Root HNSC -> http://root.domain.com
    https://portal.client1.com -> Off-Box SSL Termination -> http://portal.client1.com
    https://portal.client2.com -> Off-Box SSL Termination -> http://portal.client2.com

    What do you recommend I should implement to be able to map any external domain w/ SSL to an internal HNSC using one Web Application while being supported by Microsoft?

    Any guidance would be much appreciated!

    Thanks-

  8. Omid Mohammadi says:

    Hi, your guides have been very helpful and much appreciated. I just have an issue in my HTTPS Web Application which hosts HNSCs. Search doesn’t work. I’ve followed your instruction on configuring Search on HTTPS and it works for path-based sites. And also I have no problem with search indexing the root site collection for the new web application. But the crawler cannot access my HNSC sites and I receive an error which states “Access is denied.”

    • Aaron says:

      Omid,
      I had the same issue with search. The end result of my issue was that I did not have the DNS bindings set correctly for http and https. You will want to make sure you (and the search engine) can access both the http and https.
